CISA has released the first binding operational directive (BOD) of the year, mandating that federal civilian agencies remediate security vulnerabilities known to be exploited in the wild within a short timeframe.
BOD 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities) pertains to both internet-facing and non-internet-facing government information systems, including those controlled by federal agencies or third parties on their behalf.
The purpose of this government-wide order is to enable federal agencies and public/private sector companies to keep up with continuing threat activity by enhancing vulnerability management techniques and lowering their cyberattack exposure.
CISA Director Jen Easterly said that BOD 22-01, which specifies deadlines for remediation of known exploited vulnerabilities and demands improvements in vulnerability management systems, is a significant step in securing Federal Civilian Networks.
CISA has published a catalog of hundreds of known exploited security flaws that expose government systems to severe risk if successfully exploited by threat actors.
Agencies must fix the security weaknesses mentioned in the known exploited vulnerabilities catalog within the timeframes established by CISA:
Flaws exploited in 2021 must be remediated within the next two weeks, by November 17, 2021.
Flaws exploited up to the end of 2020 must be remediated within six months, by May 3, 2022.
The catalog currently contains 200 vulnerabilities found between 2017 and 2020, and 90 from 2021, and CISA plans to continually update it with newly discovered vulnerabilities that meet the following criteria:
A CVE (Common Vulnerabilities and Exposures) ID has been issued to the vulnerability.
There’s solid evidence that the flaw has been actively exploited in the wild.
The vulnerability has a defined remedial step, such as a vendor-provided update.
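The deadlines and catalog criteria above translate directly into a triage task: match the catalog against what an agency actually runs and rank the hits by how much time remains. The following Python script is an added example, not CISA's tooling; the field names (cveID, vendorProject, product, dueDate, requiredAction) are assumed from the shape of CISA's public KEV JSON feed, and every CVE id, product name and date in the sample is a constructed placeholder.

```python
"""Triage a KEV-style catalog against an asset inventory under BOD 22-01 deadlines."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names assumed
# from the public feed; the CVE ids, products and dates are placeholders only).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2019-00002", "vendorProject": "ExampleVendor", "product": "Mailer",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2020-00003", "vendorProject": "OtherVendor", "product": "Router",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
})

# Constructed inventory: the (vendor, product) pairs this agency actually operates.
INVENTORY = [("ExampleVendor", "Gateway"), ("ExampleVendor", "Mailer")]


def load_catalog(raw):
    """Parse the feed and return its list of vulnerability records."""
    return json.loads(raw)["vulnerabilities"]


def triage(catalog, inventory, today):
    """Return catalog entries that apply to the inventory, each with the number
    of days left until its due date (negative means overdue), soonest first."""
    deployed = set(inventory)
    hits = []
    for v in catalog:
        if (v["vendorProject"], v["product"]) not in deployed:
            continue  # catalog entry does not affect anything we run
        due = date.fromisoformat(v["dueDate"])
        hits.append({"cveID": v["cveID"], "product": v["product"],
                     "dueDate": v["dueDate"], "daysLeft": (due - today).days,
                     "requiredAction": v["requiredAction"]})
    return sorted(hits, key=lambda h: h["daysLeft"])


def overdue(catalog, inventory, today):
    """CVE ids whose BOD 22-01 due date has already passed as of `today`."""
    return [h["cveID"] for h in triage(catalog, inventory, today) if h["daysLeft"] < 0]


if __name__ == "__main__":
    for h in triage(load_catalog(KEV_SAMPLE), INVENTORY, date(2021, 12, 1)):
        print(f'{h["cveID"]:16} {h["product"]:10} due {h["dueDate"]} ({h["daysLeft"]:+d} days)')
```

Feeding the real feed in place of KEV_SAMPLE and a CMDB export in place of INVENTORY gives the prioritised list the quarterly status reports are built from.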
In addition to this directive, CISA requires federal agencies to review and improve their internal vulnerability management policies within 60 days. Agencies will also be required to provide quarterly patch status reports through CyberScope or the CDM Federal Dashboard.
CISA further said that security flaws that have already been exploited are a common attack vector for malicious cyber actors of all types.
These flaws put agencies and the wider federal enterprise at risk. To defend government information systems and prevent cyber incidents, it is critical to remediate known exploited vulnerabilities quickly.